When WatchAD is deployed outside the domain, authentication problems can occur. #5

Open
Epicccal opened this issue Jul 20, 2023 · 1 comment
@Epicccal

Epicccal commented Jul 20, 2023

Test environment
Domain: testad.com
KDC: Windows Server 2012 R2

  • Username: Administrator
  • Password: P@ssw0rd

Ubuntu 20.04 (WatchAD2, Docker deployment)

Ubuntu 20.04 is not joined to testad.com


During deployment, the .env file used the following configuration:

```
# Domain controller configuration
DCNAME="testad.com"
DCSERVER=172.16.33.144
DCUSER="administrator"
DCPWD="P@ssw0rd"
```

At this point watchad20_iatp reports the error "域注册失败: 未查询到域控制器" (domain registration failed: no domain controller found); a packet capture showed that the login credentials were invalid.


After looking through some documentation, it seems the cause is that the Ubuntu host is outside the domain. Changing the DCUSER value to include the domain name makes the LDAP bind succeed.

```
// Either of the following two changes makes the LDAP bind succeed
DCUSER = "[email protected]"
DCUSER = "testad\\administrator"
```

Then I opened the Web page and logged in with the same username and password, and got the error "Network Error".

watchad20_iatp reports the following error:

```
HTTP Server] http: panic serving 172.16.33.1:58531: runtime error: index out of range [0] with length 0
goroutine 499 [running]:
net/http.(*conn).serve.func1(0xc0005b7680)
	/usr/local/go/src/net/http/server.go:1801 +0x147
panic(0x1251060, 0xc0002c56a0)
	/usr/local/go/src/runtime/panic.go:975 +0x47a
iatp/iatp_wbm/controllers.(*UserController).PostLogin(0xc0002ac960, 0x0, 0x0)
	/go/src/iatp_opensource/iatp_wbm/controllers/user_controller.go:140 +0x856
```

It looks like, after authentication succeeds, it queries LDAP for displayName but gets nothing back: entrys is nil.

```go
// WatchAD2.0/iatp_wbm/controllers/user_controller.go
if login {
    c.Session.Set("authenticated", true)
    // user_name is passed straight into the LDAP search; when nothing matches,
    // entrys is empty and entrys[0] panics with "index out of range [0] with length 0"
    entrys := auth_client.SearchEntryByCN(user_name, []string{"displayName"}, nil)
    c.Session.Set("user_name", entrys[0].GetAttributeValue("displayName"))
} else {
    return mvc.Response{
        Code: 500,
        Object: map[string]interface{}{
            "status": 500,
            "msg":    "验证失败",
        },
    }
}
```

Here user_name is passed directly into the LDAP query. I tried it with ldp: only administrator works; neither [email protected] nor testad\administrator returns anything.


So there is always a conflict here:

  1. With administrator, the domain controller cannot be found, but login should succeed.
  2. With testad\administrator or [email protected], the domain controller can be found, but login fails with "Network Error".

Could the maintainers take a look at whether this can be resolved?
Thanks!!!
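As an added example that is not part of this issue or of WatchAD's code, the following Go sketch shows the two checks a fix in PostLogin would need: normalizing the bind name (DOMAIN\user or UPN) back to the bare account name before the displayName search, and refusing an empty result set instead of indexing entrys[0]. Entry, FakeSearch and the UPN administrator@testad.com are constructed stand-ins, not the project's types or data.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a constructed stand-in for an LDAP search result (WatchAD itself uses go-ldap).
type Entry struct {
	Attrs map[string]string
}

func (e *Entry) GetAttributeValue(name string) string { return e.Attrs[name] }

// NormalizeAccountName strips the testad\ prefix or @testad.com suffix seen in the issue, leaving the bare sAMAccountName.
func NormalizeAccountName(user string) string {
	user = strings.TrimSpace(user)
	if i := strings.LastIndex(user, `\`); i >= 0 { // DOMAIN\user form
		user = user[i+1:]
	}
	if i := strings.Index(user, "@"); i >= 0 { // UPN form
		user = user[:i]
	}
	return user
}

// DisplayNameFor searches with the normalized name and returns an error on an empty result instead of panicking on entrys[0].
func DisplayNameFor(user string, search func(cn string) []*Entry) (string, error) {
	cn := NormalizeAccountName(user)
	entrys := search(cn)
	if len(entrys) == 0 {
		return "", fmt.Errorf("no LDAP entry for %q (searched CN %q)", user, cn)
	}
	return entrys[0].GetAttributeValue("displayName"), nil
}

// FakeSearch is a constructed directory: as seen with ldp in the issue, only the bare account name matches.
func FakeSearch(cn string) []*Entry {
	if cn == "administrator" {
		return []*Entry{{Attrs: map[string]string{"displayName": "Administrator"}}}
	}
	return nil
}

func main() {
	for _, u := range []string{"administrator", "administrator@testad.com", `testad\administrator`, "nobody"} {
		name, err := DisplayNameFor(u, FakeSearch)
		fmt.Printf("%-26s -> %q err=%v\n", u, name, err)
	}
}
```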

@Cgaii

Cgaii commented Jul 20, 2023

Please take a look at the latest README and code; we have added an explanation of the configuration options. See whether that resolves the error~
